tor, not as safe as you thought ....


Recommended Posts

source : http://derangedsecurity.com/

This is going to be a long post, several important things needs to be said. It’s important you read it to the end.

We chose to wait this long before posting the whole story to give not only governments time to secure themselves but also to protect private users and businesses. The affected parties on the list have by now figured out that we had passwords to many more than just the 100 we posted and have secured ALL their accounts. Many of the private/company users have by now received our e-mails warning them, few responses though. Remember that we found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq and New York listed companies. The information we gathered is not worth millions, it’s worth billions in the right hands. So anyone questioning my actions can go fuck yourself, I didn’t make a penny off this except getting myself in trouble.

No accounts have been hacked, you have been actively exposing them yourself not only to us but to about 1000 others all over the world, every day. This has been told about many times before, which you chose to ignore. The team behind the product is completely open with this security threat but they probably should have made a bigger warning text I guess. For us to publish yet another warning or for the vendor to tell you again would have had no effect once more.

We chose to publish 100 sensitive accounts for Governments in full disclosure to get heads turned. Remember that it still was thought of as a hoax from both users and admins everywhere until a crazy journalist in India started publishing stuff from some accounts. Had we posted only parts of passwords, we would still be having denials and no actions today.

Did the account owners know about it? Of course they did! Most journalists had already talked to the embassies about the expose and got told that the security was fine and no one could know the passwords. This was long before it started spreading and people started using the accounts.

Having Governments all over the world working against me is fun to follow. Trying to pull focus away from themselves being idiots and over to me by using the term “hacker”. The journalists love that word and I see it more and more next to my name. I’m not a hacker and haven’t broken into anything illegally. Whoever says that is welcome to prove it, probably easier to prove that I killed JFK. I’m a security specialist doing this stuff every day, always under controlled terms and completely legal. However, being a bit DEranged I sometimes walk in the gray zone, exactly what it takes to get stuff done. I fight criminals but when we have to play by the rules and they don’t it’s a tough battle. Computer Crimes are real, they are everywhere and they are using your ignorance!

Alright, with the boring stuff said this is how we did it:

#1 Five ToR exit nodes, at different locations in the world, equipped with our own packet-sniffer focused entirely on POP3 and IMAP traffic using a keyword-filter looking for words like “gov, government, embassy, military, war, terrorism, passport, visa” as well as domains belonging to governments. This was all set up after a small experiment looking into how many users encrypt their mail, where one mail caught my eye and got me thinking about doing a large-scale test. Each user is not only giving away his/her passwords but also every mail they read or download together with all other traffic such as web and instant messaging.

Did you get it? These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about. Yes, two are getting encrypted traffic but that last exit node is not. There are hundreds of thousands of ToR users but finding these kinds of accounts was… hmm… shocking! The person who wrote the security policy on these accounts should reconsider changing profession, start cleaning toilets! These administrators are responsible for giving away their own countries’ secrets to foreigners. I can’t call it a mistake, this is pure stupidity and not forgivable!

ToR isn’t the problem, just use it for what it’s made for.
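The defender-side check that follows from #1, as an added example that is not code from the original post: given a mail client's own command log (constructed samples below, with made-up account names), report which credential exchanges happened before the session was upgraded to TLS, which is exactly what any on-path observer such as an exit node could have read. Secrets are redacted from the report so the output itself is safe to share.

```python
import re
from dataclasses import dataclass

# Added example, not code from the original post. The "session" is the
# client-side command log of a mail client; everything before a successful
# STLS/STARTTLS is what an on-path observer such as an exit node could read.
POP3_CRED = re.compile(r"^(USER|PASS)\s+(\S+)", re.I)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.I)      # tag LOGIN user pass
IMAP_AUTH = re.compile(r"^\S+\s+AUTHENTICATE\s+PLAIN\b", re.I)     # base64, not encryption
TLS_UPGRADE = re.compile(r"^(\S+\s+)?(STLS|STARTTLS)\s*$", re.I)   # POP3 STLS / IMAP STARTTLS


@dataclass
class Finding:
    line_no: int
    protocol: str
    detail: str          # never contains the secret itself


def audit_session(client_lines):
    """Return one Finding per credential exchange sent before TLS was negotiated."""
    encrypted = False
    findings = []
    for n, raw in enumerate(client_lines, 1):
        line = raw.rstrip("\r\n")
        if TLS_UPGRADE.match(line):
            encrypted = True            # later commands travel inside TLS
            continue
        if encrypted:
            continue
        m = POP3_CRED.match(line)
        if m:
            verb = m.group(1).upper()
            detail = f"USER {m.group(2)}" if verb == "USER" else "PASS <redacted>"
            findings.append(Finding(n, "POP3", detail))
        elif (m := IMAP_LOGIN.match(line)):
            findings.append(Finding(n, "IMAP", f"LOGIN {m.group(1)} <redacted>"))
        elif IMAP_AUTH.match(line):
            findings.append(Finding(n, "IMAP", "AUTHENTICATE PLAIN before STARTTLS"))
    return findings


# Constructed samples: the account names and passwords are made up.
SAMPLE_POP3_BAD = ["USER alice@embassy.example", "PASS hunter2", "STAT", "RETR 1", "QUIT"]
SAMPLE_IMAP_OK = ["a001 CAPABILITY", "a002 STARTTLS", "a003 LOGIN alice@embassy.example hunter2"]
SAMPLE_IMAP_BAD = ["a001 LOGIN bob@mfa.example secret", "a002 SELECT INBOX"]

if __name__ == "__main__":
    for name, session in [("pop3", SAMPLE_POP3_BAD), ("imap-tls", SAMPLE_IMAP_OK), ("imap", SAMPLE_IMAP_BAD)]:
        for f in audit_session(session):
            print(f"{name}: line {f.line_no} {f.protocol} {f.detail}")
```

A client that authenticates only after STLS/STARTTLS (the second sample) produces no findings; the fix the post points at is end-to-end TLS between client and mail server, not a different anonymity network.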

#2. I’ll have a lot of people to thank for helping me here, you all know who you are, white-hats and friends out there. ToR has about 1000 nodes set up to handle exit-traffic (unencrypted). These are the servers all your traffic is going to be sent through. Of course you know everything about them, right? I had five running during this test that no one knew about, who owns the others?

Just to give you something to think about we did look into a few servers out of 1000 we thought looked interesting. We aren’t trying to tell you what to think, you will have to do that yourself.

Example of Exit-nodes that can read your traffic:

• Nodes named devilhacker, hackershaven…

• Node hosted by an illegal hacker-group

• Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month.

• Node hosted by Space Research Institute/Cosmonauts Training Center controlled by Russian Government

• Nodes hosted on several Government controlled academies in the US, Russia and around Asia.

• Nodes hosted by criminal identity stealers

• Node hosted by Ministry of Education Taiwan (China)

• Node hosted by major stock exchange company and Fortune 500 financial company

• Nodes hosted anonymously on dedicated servers for ToR costing the owner US$100-500 every month

• Node hosted by China Government official

• Nodes in over 50 countries with unknown owners

• Nodes handling over 10TB data every month

We can prove all this but not the intentions of each server. They might be very nice people spending a lot of money doing you a favor but it could just as well be something else. We don’t however think it’s weird that Universities are hosting nodes, just that you need to be aware of it. Criminals, hackers and Governments are running nodes, why?

This experiment has proven another major problem regarding Computer Security. Even though I haven’t broken into anything, which people blame me for, it’s obvious that laws for computer crimes are problematic. Laws don’t work over borders but the Internet and the criminals do.

This world experiment has never been done before, what would happen if someone was DEranged enough to post a list completely public worth millions exposing Governments. We got this message out to at least 157 countries and billions of people in just a week. I’ll have to say that even if it took 5 days to get 70% fixed that was fast compared to what I’m used to.

I would like to say special thanks to the people of India, Iran and Uzbekistan who have been extremely supportive. And fuck all of you who are filing police reports on me, you are idiots and are only proving that you haven’t understood anything.

PS: Data and hard drive on each node is destroyed and I forgot everything somehow ;-)

“There is no eeeeeeeeeeennnnnnndddddd to the possibilities”


Where did we go?

Our site got shut down and we stood there not knowing why, couldn’t get any information from anyone. You aren’t going to like the answer we just dug up.

* American law enforcement officials requested DEranged Security to be taken down *

Woho, we pissed the US off! But why? Millions of people have already read the story and tens of thousands have those passwords. Monsters don’t go away when you close your eyes. Security by obscurity in its finest hour, starring the US law enforcement!

Suddenly we have something that is on everyone’s lips and getting security tightened all over the world from private users to companies to governments, and you go about it this way? Do you have any reason for trying to stop this behavior? I’ve seen people saying that the US would be angry now that we forced foreign countries to tighten their security so the NSA or whatever can’t read their secrets any longer. To me it sounds like bullshit taken out of a bad book but after this silly little stunt I’m reconsidering. Is there any reason you DO NOT want people to secure their systems? Please, do go grab the server, of course I put copies there with secret stuff! Pathetic…

Well, about the case… The only people on the list who have been willing to talk to me so far are Iran. A big gold medal to Iran! Very nice talking to you and I appreciate our chat greatly.

* Ironic that suddenly Iran are the good guys and US the bad ones *

Directly to the people in the security industry out there to clarify some stuff. There is no exploit to publish, no vendor to contact. This has been told about before with no reactions. Publishing it yet one more time wouldn’t have changed crap. Even after publishing a full disclosure list like we did, it was first thought of as BS and nothing was done about it. And to Symantec and F-Secure who like to give speeches, try to get your facts right the next time. We don’t want you to embarrass yourself, you will surely use this to sell more of your product I trust. And while I have your attention anyway, F-Secure, I still have your domain and have been waiting for your information on where to transfer it…

This is all for now, busy days cleaning out the apartment for anything that could look to be used by terrorists (good thing I don’t have any flight simulation games!). We all know how the law (doesn’t) work in the US…

“America is the only country that went from barbarism to decadence without civilization in between.”
